Sony Pictures Entertainment Suit


Upload: brianrbarrett

Post on 26-Dec-2015


DESCRIPTION

A filing by former employees against Sony Pictures Entertainment.

TRANSCRIPT

Page 1: Sony Pictures Entertainment Suit

Class Action Complaint – Page 1


Khesraw Karmand (Cal. Bar No. 280272)
Matthew J. Preusch (Cal. Bar No. 298144)
kkarmand@kellerrohrback.com
mpreusch@kellerrohrback.com
KELLER ROHRBACK L.L.P.
1129 State Street, Suite 8
Santa Barbara, California 93101
Tel.: (805) 456-1496 / Fax (805) 456-1497

Lynn Lincoln Sarko, pro hac vice forthcoming
lsarko@kellerrohrback.com
Gretchen Freeman Cappio, pro hac vice forthcoming
gcappio@kellerrohrback.com
Cari Campen Laufenberg, pro hac vice forthcoming
claufenberg@kellerrohrback.com
Amy N.L. Hanson, pro hac vice forthcoming
ahanson@kellerrohrbak.com
KELLER ROHRBACK L.L.P.
1201 Third Ave., Suite 3200
Seattle, Washington 98101
Tel: (206) 623-1900 / Fax: (206) 623-3384

Attorneys for Plaintiffs

UNITED STATES DISTRICT COURT

CENTRAL DISTRICT OF CALIFORNIA

Michael Corona and Christina Mathis, individually and on behalf of others similarly situated,

Plaintiffs,

v.

Sony Pictures Entertainment, Inc.,

Defendant.

CASE NO.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Case 2:14-cv-09600-RGK-SH Document 1 Filed 12/15/14 Page 1 of 45 Page ID #:1


I. INTRODUCTION

Plaintiffs Michael Corona and Christina Mathis (“Plaintiffs”), individually and on behalf of all others similarly situated, allege the following against Sony Pictures Entertainment, Inc. (“Defendant” or “Sony”), based where applicable on personal knowledge, information and belief, and the investigation and research of counsel.

II. NATURE OF THE ACTION

1. An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees: Their most sensitive data, including over 47,000 Social Security numbers, employment files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals.

2. At its core, the story of “what went wrong” at Sony boils down to two inexcusable problems: (1) Sony failed to secure its computer systems, servers, and databases (“Network”), despite weaknesses that it has known about for years, because Sony made a “business decision to accept the risk” of losses associated with being hacked; and (2) Sony subsequently failed to timely protect confidential information of its current and former employees from law-breaking hackers who (a) found these security weaknesses, (b) obtained confidential information of Sony’s current and former employees stored on Sony’s Network, (c) warned Sony


that it would publicly disseminate this information, and (d) repeatedly followed through by publicly disseminating portions of the information that they claim to have obtained from Sony’s Network through multiple dumps of internal data from Sony’s Network.

3. The security weaknesses in Sony’s Network exposed sensitive personal identifying information (“PII”) to cybercriminals, who obtained that PII (the “Data Breach”). This PII includes, but is not limited to, current and former employee names, home addresses, telephone numbers, birthdates, Social Security numbers, email addresses, salaries and bonus plans, healthcare records, performance evaluations, scans of passports and visas, reasons for termination, details of severance packages and other sensitive employment and personal information.

4. Sony owed a legal duty to Plaintiffs and the other Class members to maintain reasonable and adequate security measures to secure, protect, and safeguard their PII stored on its Network. Sony breached that duty by one or more of the following actions or inactions: failing to design and implement appropriate firewalls and computer systems, failing to properly and adequately encrypt data, losing control of and failing to timely re-gain control over Sony Network’s cryptographic keys, and improperly storing and retaining Plaintiffs’ and the other Class members’ PII on its inadequately protected Network.


5. As the result of Sony’s failure to secure its Network, Plaintiffs’ and the other Class members’ PII was compromised, placing them at an increased risk of fraud and identity theft, and causing direct financial expenses associated with credit monitoring, replacement of compromised credit, debit and bank card numbers, and other measures needed to protect against the misuse of their PII arising from the Data Breach.

6. Sony is no stranger to data breaches, making its vulnerability to this latest attack particularly surprising and egregious. For example, in April 2011, Sony’s PlayStation video game network suffered a major breach when hackers stole millions of user accounts from the online gaming service.

7. Given the repeated data breaches suffered by Sony, as well as recent significant data breach events in the retailer context, Sony knew or should have known that such a security breach was likely and taken adequate precautions to protect its current and former employees’ PII.

8. In fact, recently leaked emails and internal assessments reveal that Sony’s own information technology (“IT”) department and, separately, its general counsel believed that its technological security and email retention policies ran the risk of making too much data vulnerable to attack. If only Sony had heeded its own advice in time.


III. JURISDICTION

9. This Court has diversity jurisdiction over this action pursuant to the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d)(2). Plaintiff Corona and Defendant are citizens of different states. The amount in controversy exceeds $5 million, and there are more than 100 putative class members.

10. This Court has personal jurisdiction over the Defendant because Defendant is licensed to do business in California or otherwise conducts business in California.

11. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(b) because unlawful practices are alleged to have been committed in this federal judicial district and Defendant regularly conducts business in this district.

IV. PARTIES

12. Plaintiff Michael Corona is currently a resident of the State of Virginia. Plaintiff Corona is a former employee of Sony Pictures Entertainment. Sony employed Corona from 2004 to 2007 in Culver City, California. Plaintiff Corona’s PII was compromised when hackers accessed Sony’s Network, including but not limited to his full name, Social Security Number, birthdate, former address, salary history, and reason for resigning. In addition, the PII of Plaintiff Corona’s wife and daughter was also compromised in the Data Breach. To date, Plaintiff Corona has incurred costs, including spending over $700 for a year of identity theft protection from LifeLock for him and his family. He has expended 40-50 hours


attempting to safeguard himself and his family members from identity theft or other harms caused by the release of their PII as a result of the Data Breach. Going forward, Plaintiff Corona anticipates spending considerable time each day in an effort to contain the impact of Sony’s Data Breach on himself and his family members.

13. Plaintiff Christina Mathis is a resident of the State of California who is temporarily working on an assignment out of state. Plaintiff Mathis is a former employee of Sony Pictures Consumer Products, a subsidiary of Sony. Sony employed Plaintiff Mathis from 2000 to 2002 in Culver City, California. Despite the fact that she has not worked for Sony in 12 years, Plaintiff Mathis’s PII was compromised when hackers accessed Sony’s Network, including but not limited to her Social Security Number and former address. To date, Plaintiff Mathis has heard nothing from Sony about the breach other than a form letter response to her email inquiry about the Data Breach. Plaintiff Mathis has incurred costs, including spending over $300 for a year of identity theft protection from LifeLock for herself. She has already expended 10 hours attempting to safeguard herself from identity theft and other harms caused by the release of her PII as a result of the Data Breach. Going forward, Plaintiff Mathis anticipates spending considerable time each day in an effort to contain the impact of Sony’s Data Breach on herself.


14. Defendant Sony Pictures Entertainment, Inc. is a Corporation organized under the laws of Delaware, with principal offices located in Culver City, County of Los Angeles, California.

V. FACTUAL ALLEGATIONS

A. Sony’s Data Breach Exposed the PII of Its Current and Former Employees

15. On information and belief, on November 24, 2014, a hacker group that calls themselves Guardians of Peace (“GOP”) took over Sony’s Network, displayed their own messages and skeleton image, seized control of promotional Twitter accounts for Sony movies, and warned Sony that it had obtained “secrets” and threatened to leak them to the Web:

16. In the days following the Data Breach, PII of current and former Sony employees, as well as actors and filmmakers were publicly published on the internet.

17. Specifically, on December 2, 2014, data containing the PII of thousands of Sony employees, including, for example, their names, social security


numbers, birthdates, home addresses, job titles, performance evaluations, scans of passports and visas, salaries and bonus plans, reasons for termination and details of severance packages, was posted online.

18. Security researcher Brian Krebs, who was the first to uncover other recent high-profile data breaches at companies such as Target Corporation and Home Depot Inc., reported in a December 2, 2014 blog post that several of his sources had confirmed that the hackers of Sony’s Network had stolen more than 25 gigabytes of sensitive data, including Social Security numbers and medical and salary information, on tens of thousands of Sony employees.

19. Krebs reported that he had personally seen several files containing personal information on Sony employees being traded on online torrent networks. The files include a Microsoft Excel document that contains the name, location, employee ID, network username, base salary and date of birth for more than 6,800 people; a status report from April 2014 listing the names, dates of birth, Social Security numbers and health savings account data on more than 700 Sony employees; and a file that appears to be the product of an internal audit from PricewaterhouseCoopers, made up of screen shots of dozens of employees’ federal tax records and other compensation data. Krebs found that a “comprehensive search on LinkedIn for dozens of names in the [Microsoft Excel] list indicate[d] that virtually all correspond[ed] to current or former Sony employees.”


20. On the evening of December 2, 2014, sources reported that Sony CEO Michael Lynton and co-chairman Amy Pascal at Sony sent an internal memo to 6,500 current employees that confirmed that a “large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information,” stated that “the privacy and security of our employees are of real concern to us,” warned that “we are not yet sure of the full scope of information that the attackers have or might release” and “unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession,” and promised employees that they would receive an email on December 3, 2014 that outlined steps to sign up for identity protection services.

21. On December 5, 2014, sources reported that Sony’s current Data Breach had leaked even more PII than had been reported previously, consisting of 47,426 unique Social Security numbers and names, dates of birth, home addresses, email addresses, salary information, including Social Security numbers of more than 15,200 current or former Sony employees. The Social Security numbers were copied more than 1.1 million times throughout the 601 files stolen by hackers according to Identity Finder LLC, whose company analyzed the breached data. The personal information was found in more than 500 spreadsheets, 75 PDFs and several Word documents, none of which were protected by passwords. Identity Finder LLC CEO Todd Feinman explained that personal information such as


Social Security numbers should be stored in one place with password protection and “[l]eaving these files open is not making the hackers’ job difficult.” The files have since been publicly posted online on multiple file sharing websites.

22. Also on December 5, 2014, hackers were reported to have sent an email to employees that threatened their families if they did not support Guardians of Peace goals, stating: “Please sign your name to object the false [sic] of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”

23. As of December 8, 2014, hackers had released around 140 gigabytes of a cache of internal Sony files and films they claim totals at least 100 terabytes—approximately 10 times the amount of information stored in the Library of Congress.

24. Moreover, Business Insider reported that Sony CEO Michael Lynton sent a second company-wide memo to current employees on December 8, 2014 assuring them that Sony was doing everything it could to protect employees after a series of cyber-attacks that revealed their personal information, including Social Security numbers and addresses, stating that the Federal Bureau of Investigation has “dedicated their senior staff to this global investigation” and that “recognized experts are working on this matter and looking out for our security.”

25. While more than 117,000 cyber-attacks hit businesses each day, the Los Angeles Times reported that Phillip Lieberman, the president of security


management program maker Lieberman Software, said few of those attacks are on the scale of the blow dealt to Sony. “It’s obvious from the scope of what’s been done that the intruders owned the entire environment. . . Sony lost control of their environment,” Lieberman said.

26. No definitive evidence about the perpetrators has been disclosed, but several security firms have focused on the fact that data released by the attackers include a number of Sony’s private cryptographic keys. Kevin Bocek, vice president at Venafi, explained to Businessweek that losing control of these cryptographic “keys to the kingdom” is “a big deal.” Once an attacker has access to the cryptographic keys, an attacker can get onto encrypted servers without triggering intrusion detection systems because these systems assume that encrypted data is safe.

27. Businessweek reported that an attack using cryptographic keys indicates that the hacker likely spent a significant amount of time within the company’s network. This is because companies are often slow to change their cryptographic keys, even when they know they are vulnerable.

28. Some reports have suggested that the attackers of Sony’s Network may have initiated their attack as early as a year prior to the public disclosures regarding the Data Breach in November, 2014.

29. Thus, anyone with access to the cryptographic keys would have access to Sony’s Network until the company managed to change them — a process


that often becomes difficult when companies lose track of all the ways that cryptographic keys are used. For example, Kaspersky Lab points out that a sample of the malware that hackers installed on the Sony Network during the Data Breach showed traces of being signed by a valid digital certificate from Sony. According to the cybersecurity firm:

The stolen Sony certificates (which were also leaked by the attackers) can be used to sign other malicious samples. In turn, these can be further used in other attacks. . . . Because the Sony digital certificates are trusted by security solutions, this makes attacks more effective. . . We’ve seen attackers leverage trusted certificates in the past, as a means of bypassing whitelisting software and default-deny policies.

30. Thus, if Sony’s cryptographic keys were among the data released, Sony’s ability to prevent further unauthorized access to its Network would be severely compromised and additional, if not ongoing, breaches of its Network would be likely.

31. Information technology online publication ARS Technica notably reported that the hackers were able to collect significant intelligence on the Sony Network from Sony’s own information technology department. Amongst the files publicly disclosed the second week of December 2014 was a corporate certificate authority that was intended to be used in creating server certificates for Defendant’s Information Systems Service (ISS). This corporate certificate


authority may have been used to create the server certificate that was used to sign a later version of the malware that took Sony’s Network offline in November 2014.

B. Despite Sony’s Longstanding Knowledge of Its Network’s Security Weakness, It Made a Business Decision to Accept This Risk Despite Previous Data Breaches

32. Sony has been a longstanding and frequent target for hackers, but it apparently made a business decision to accept the risk of losses associated with being hacked.

33. Put simply, Sony knew about the risks it took with its past and current employees’ data. Sony gambled, and its employees–past and current–lost.

34. For example, as reported on the Gizmodo website, just two months before the Data Breach became public, Sony released a scathing internal IT assessment. In the report Sony’s IT personnel found basic security protocol went unheeded and what little IT security it did have was plagued with unmonitored devices, miscommunication, and a lack of accountability.

35. Furthermore, to Sony’s chagrin, emails from the Defendant’s general counsel, Leah Weil, were reportedly leaked as well. Among other topics, the emails voiced concerns about the volume of data available on emails. For example, one reportedly stated, “While undoubtedly there will be emails that need to be retained or stored electronically in a system other than email, many can be deleted, and I am informed by our IT colleagues that our current use of the email system for virtually everything is not the best way to do this.”


36. According to an analysis by security firm Packet Ninjas, more than 900 domains that appear to be related to the company have been compromised over the last twelve years.

37. Sony had the ability and know-how to implement and maintain sufficient online security consistent with industry standards as a leader in the computer technology industry.

38. Nevertheless, as reported by the technology and business website CIO, Sony’s executive director of information security, Jason Spaltro, made a business decision in November 2005 not to ensure the security of Sony’s Network. At that time, an auditor who had just completed a review of Spaltro’s security practices told him that Sony had several security weaknesses, including insufficiently strong access controls, which is a key Sarbanes-Oxley requirement.

39. Spaltro subsequently said in a 2007 interview with CIO that he was not willing to put up a lot of money to defend Sony’s sensitive information, stating: “It’s a valid business decision to accept the risk.”

40. CIO reported on April 6, 2007, that Center for Democracy and Technology privacy expert, Ari Schwartz, believed Spaltro’s reasoning to be “shortsighted” because the cost of notification is only a small portion of the potential cost of a data breach.

41. In May 2009, reports surfaced that unauthorized copies of Sony’s customers’ credit cards were emailed to an outside account.


42. In January 2011, hackers made the PlayStation game Modern Warfare 2 unplayable through the PlayStation Network.

C. Sony’s Major Data Breach in April 2011

43. In April 2011, Sony’s PlayStation video game network suffered a major breach in April 2011 in which hackers stole millions of user accounts from the online gaming service.

44. Two weeks prior to the April 2011 data breach, Sony was anonymously warned of the impending breach:

You have abused the judicial system in an attempt to censor information on how your products work. . . Now you will experience the wrath of Anonymous. You saw a hornet’s nest and stuck your [expletive] in it. You must face the consequences of your actions, Anonymous style. . . Expect us (emphasis added).

45. Despite this direct threat to imminently breach the Sony Network, Sony failed to implement adequate safeguards to protect it.

46. As reported by Engadget.com, on May 1, 2011, Sony Corporation Chief Information Officer, Shinji Hasejima, admitted during a press conference that Sony’s Network was not secure at the time of the April 2011 data breach and stated that the attack was a “known vulnerability.”


47. In addition, on June 8, 2011, Sony’s Deputy President, reportedly admitted Sony’s Network failed to meet minimum security standards at the time of the April 2011 data breach.

48. As reported by the Guardian, Sony’s Kaz Hirai stated that Sony has “done everything to bring our practices at least in line with industry standards or better” when asked whether Sony had revised its security systems following the April 2011 data breach.

49. In response to the April 2011 data breach, Sony represented that it implemented basic measures to defend against new attacks, including the following systems that should have been in place prior to April 2011: automated software monitoring; enhanced data encryption; enhanced ability to detect intrusions to the Network, such as an early-warning system to detect unusual activity patterns; and additional firewalls. Additionally, Sony hired a Chief Information Security Officer.

50. Nevertheless, John Bumgarner, Chief Technology Officer of the independent, non-profit research institute United States Cyber-Consequences Unit, found that as of May 10, 2011, unauthorized users could still access internal Sony resources, including security-management tools. Bumgarner’s research also showed that the problems with Sony’s systems were more widespread than Sony had acknowledged at that time.

51. After the April 2011 breach, Sony offered free identity theft protection, among other benefits, to PlayStation users.


52. Businessweek reported that the cause of the April 2011 breach was that Sony lost control of its cryptographic keys — which is also the focus of several security firms investigating the present Data Breach of Sony’s Network — and noted that if Sony has again lost control of its cryptographic keys, it raises the question why it had not protected them more closely three years later.

53. Class action litigation on behalf of gamers followed the April 2011 breach and Sony agreed to settle those claims in June 2014 in exchange for $15 million in games, online currency and identity theft reimbursement.

D. Sony’s Failure to Prevent Data Breaches Continued After April 2011

54. Consistent with Mr. Bumgarner’s research on the extent of problems with the security of Sony’s Network, Sony’s bad information technology security habits continued.

55. Sony’s Network was again breached in June 2011, compromising over 1 million users’ personal information, including names, birthdates, email addresses, passwords, home addresses, and phone numbers.

56. The hackers claimed that it was not difficult to breach Sony’s Network in June 2011 and that the stolen data was unencrypted.

57. Numerous experts in the field agree and attribute the June 2011 data breach to an unsophisticated method of hacking that would not have been successful if Sony had even the most basic security measures in place.


58. For example, PC World technology journalist Tony Bradly observed that Sony “seems to ignore compliance requirements and basic security best practices, so it is basically begging to be attacked.” Bradley further advised that companies should follow security “best practices and data security compliance requirements” — and in short — “[d]on’t be a Sony.”

59. Likewise, Fred Touchette of AppRiver stated: “[t]here is no doubt that Sony needs to spend some major effort in tightening up its network security. This latest hack against them was a series of simple SQL Injection attacks against its web servers. This simply should not have happened.”

60. In February 2014, Sony’s executive director of information security Jason Spaltro notified Sony Chief Financial Officer David Hendler that a significant amount of payment information had been stolen off of Sony’s Network relating to 759 individuals associated with theaters in Brazil. The stolen payment information had been stored as .txt text files and Sony had been storing this type of information this way since 2008.

61. Spalto brushed off the significance of the February 2014 attack from the standpoint of legal exposure and recommended against providing any notification of this breach to individuals.

62. In contrast, Sony took very seriously the threat of denial of service attacks on its business, particularly after what had happened to the Sony


Playstation Network and issued warnings of likely future attacks in March 2014 and April 2014.

63. In August 2014, a month after Sony settled the class action litigation brought by PlayStation gamers as a result of the April 2011 breach — and just months before the GOP hackers took responsibility for the current Data Breach — hackers again took down the PlayStation Network and also took down Sony’s Entertainment Network by overwhelming Sony’s Network with “denial of service” attacks.

64. Also in August 2014, information technology online publication ARS Technica reported Sony’s Chief Information Security Officer Phil Reitinger announced he would be stepping down, noting that there were a number of archaic systems that had been in place at Sony for ages with plenty of potential attack points.

65. Attacks on Sony’s Network have continued to be reported as recently as December 7, 2014.

E. The Federal Government is Currently Investigating Sony’s Latest Data Breach

66. On December 1, 2014, the Federal Bureau of Investigation (“FBI”) launched an investigation into Sony’s cyber-intrusion.

67. The FBI confirmed on December 8, 2014 that it will advise Sony’s employees on how to manage the leak of their personal information in the massive Sony Network Data Breach.

68. On December 10, 2014, the Senate Committee on Banking, Housing and Urban Affairs held a cybersecurity hearing in which New York Senator Charles Schumer raised concerns over the origin of Sony’s current Data Breach.

F. The Hacked PII of Sony’s Current and Former Employees was Valuable

69. As a result of the Data Breach, cyber-criminals now possess the PII of Sony’s current and former employees.

70. As the Federal Trade Commission has stated, PII such as Social Security numbers, financial information, and other sensitive information are “what thieves use most often to commit fraud or identity theft.” In addition, once identity thieves have personal information, “they can drain your bank account, run up your credit cards, open new utility accounts, or get medical treatment on your health insurance.”

71. Legitimate organizations and the criminal underground alike recognize the value of such data. Otherwise, they would not pay for or maintain it, or aggressively seek it. Criminals seek personal and financial information of consumers because they can use biographical data to perpetuate more and larger thefts.

G. Sony Failed to Timely and Adequately Protect Current and Former Employees’ PII

72. Sony has already acted to protect itself by using hacking methods of its own to combat illegal downloads of its movies that hackers publicly released after the Data Breach, according to Recode. Specifically, it is harnessing Amazon Web Services (the backend that hosts Netflix, Instagram and many others) to launch a distributed denial of service (DDoS) attack on websites hosting the stolen assets.

73. Sony has not, however, similarly acted to protect its current and former employees.

74. This is important because, according to experts, one out of four data breach notification recipients became a victim of identity fraud, in which an identity thief uses another’s personal and financial information such as that person’s name, address, and other information, without permission, to commit fraud or other crimes.

75. For instance, identity thieves may commit various types of crimes such as immigration fraud, obtaining a driver’s license or identification card in the victim’s name but with another’s picture, using the victim’s information to obtain government benefits, or filing a fraudulent tax return using the victim’s information to obtain a fraudulent refund.

76. In addition, identity thieves may get medical services using consumers’ lost information or commit any number of other frauds, such as obtaining a job, procuring housing or even giving false information to police during an arrest.

77. Furthermore, the PII that Sony failed to adequately protect and that was stolen in the Data Breach is “as good as gold” to identity thieves because identity thieves can use victims’ personal data to open new financial accounts and incur charges in another person’s name, take out loans in another person’s name, and incur charges on existing accounts.

78. Finally, the GOP hackers have already used this PII to harass Sony’s employees by threatening harm to their families if they did not cooperate by signing a document evidencing support for the GOP mission and substantially impairing their ability to work while malware was installed on the Sony Network.

79. The United States government and privacy experts acknowledge that it may take years for identity theft to come to light and be detected.

80. Accordingly, as Identity Finder LLC CEO Todd Feinman told Law360, the real victims are Sony’s employees and ex-employees: “They’re now at risk for identity theft for the rest of their lives.”

81. On information and belief, the PII posted to the Internet pertaining to Sony employees was not limited to current employees and dates back to employees

that left Sony as long ago as 2000, and to actors and filmmakers who worked for Sony as far back as 1984.

82. Notably, while several former Sony employees reported seeing their personal data in leaked documents by December 8, 2014, one former high-ranking Sony employee who left the company earlier this year told CNET that: “The studio’s done absolutely nothing to reach out to us.”

83. On December 9, 2014, on information and belief, Sony began generally responding to inquiries by former Sony employees concerned about the Sony Network Data Breach and public dissemination of former Sony employee PII stolen by the hackers.

84. Sony’s belated response did not confirm whether specific current or former employees’ PII had been compromised, and instead put the burden on the inquiring current or former employees to act to “minimize your risk of identity theft.” Sony’s response noted that former Sony employees could expect to receive an email within the next several days that would include instructions on how they could sign up for 12 months of identity protection services at no charge with a third party provider of Sony’s choosing.

85. In conjunction with its belated disclosure, Sony put the burden on Plaintiffs and the other Class members to monitor for damages caused by the Data Breach, cautioning them to watch out for unauthorized use of their credit card data and identity-theft scams. Implicitly recognizing the damage caused by the Data

Breach, Sony encouraged Plaintiffs and the other Class members to “remain vigilant, to review your account statements and to monitor your credit reports.”

86. On December 10, 2014, TwinCities.com echoed the concern of former Sony employees, reporting that nearly 4,000 people had joined a recently formed Facebook group called “Sony Ex-Employees Worried about the Info Breach,” and that many of those former employees were concerned that they are unable to get information from the studio about how to register for credit monitoring and the identity protection that the studio has now arranged to offer “to all current and potentially affected former employees and their dependents.”

87. On information and belief, on or about December 12, 2014, Sony’s third party identity protection provider AllClear ID began providing former employees with activation codes that they could use to sign up for credit monitoring and an identity theft insurance policy.

88. Sony’s limited offer of 12 months of credit monitoring and insurance is inadequate. Neither does anything to prevent identity fraud. Credit monitoring only informs a consumer of instances of fraudulent opening of new accounts, not fraudulent use of existing credit cards. Agencies of the federal government and privacy experts acknowledge that stolen data may be held for more than a year before being used to commit identity theft and once stolen data has been sold or posted on the Internet, fraudulent use of stolen data may continue for years.

89. On information and belief, the Data Breach to the Sony Network and/or accepting credit monitoring and identity protection may result in credit report agencies placing red flags on current and former Sony employee credit reports, which substantially impairs victims’ ability to obtain additional credit.

VI. CLASS ACTION ALLEGATIONS

90. Plaintiffs bring this suit as a class action pursuant to Rule 23 of the Federal Rules of Civil Procedure, on behalf of himself and all others similarly situated, as members of a Class initially defined as follows:

All former and current employees in the United States of Sony whose Personally Identifiable Information was compromised by Sony’s security breaches that became public starting in November 2014, and any related security breaches.

91. Plaintiffs also seek to certify a California Subclass consisting of all members of the Class who are residents of California under the respective data breach statute of California set forth in Count III. This class is defined as follows:

All former and current employees of Sony who are residents of California whose Personally Identifiable Information was compromised by Sony’s security breaches that became public starting in November 2014, and any related security breaches.

92. Plaintiffs also seek to certify a Virginia Subclass consisting of all members of the Class who are residents of Virginia under the respective data breach statute of Virginia set forth in Count IV. This class is defined as follows:

All former and current employees of Sony who are residents of Virginia whose Personally Identifiable Information was compromised by Sony’s security breaches that became public starting in November 2014, and any related security breaches.

93. Numerosity. The Class is sufficiently numerous, as approximately 15,000 Sony employees and former employees have had their PII compromised. The Putative Class members are so numerous and dispersed throughout the United States that joinder of all members is impracticable. Putative Class members can be identified by records maintained by Defendant.

94. Common Questions of Fact and Law. Common questions of fact and law exist as to all members of the Class and predominate over any questions affecting solely individual members of the Class, pursuant to Rule 23(b)(3). Among the questions of fact and law that predominate over any individual issues are:

(1) Whether Sony failed to exercise reasonable care to protect Plaintiffs’ and the Class’ PII;

(2) Whether Sony timely, accurately, and adequately informed Plaintiffs and the Class that their PII had been compromised;

(3) Whether Sony’s conduct with respect to the data breach was unfair and deceptive;

(4) Whether Sony owed a legal duty to Plaintiffs and the Class to protect their PII and whether Defendant breached this duty;

(5) Whether Sony was negligent;

(6) Whether Sony retains employees’ data for a reasonable time;

(7) Whether Plaintiffs and the Class are at an increased risk of identity theft as a result of Sony’s breaches and failure to protect Plaintiffs’ and the Class’ PII; and

(8) Whether Plaintiffs and members of the Class are entitled to the relief sought, including injunctive relief.

95. Typicality. Plaintiffs’ claims are typical of the claims of members of the Class because Plaintiffs and the Class sustained damages arising out of Defendant’s wrongful conduct as detailed herein. Specifically, Plaintiffs’ and the Class’ claims arise from Sony’s failure to install and maintain reasonable security measures to protect Plaintiffs’ and the Class’s PII, and to timely notify them when the security breach occurred.

96. Adequacy. Plaintiffs will fairly and adequately protect the interests of the Class and has retained counsel competent and experienced in class action lawsuits. Plaintiffs have no interests antagonistic to or in conflict with those of the Class and therefore is an adequate representative for Class.

97. Superiority. A class action is superior to other available methods for the fair and efficient adjudication of this controversy because the joinder of all members of the putative Class is impracticable. Furthermore, the adjudication of this controversy through a class action will avoid the possibility of an inconsistent and potentially conflicting adjudication of the claims asserted herein. There will be no difficulty in the management of this action as a class action.

VII. CAUSES OF ACTION

COUNT I: Negligence

98. Plaintiffs and the Class reallege and incorporate by reference the allegations contained in each of the preceding paragraphs of this Complaint as if fully set forth herein.

99. Defendant owed a duty to the Class to exercise reasonable care in obtaining, securing, safeguarding, deleting and protecting Plaintiffs’ and the Class’ PII within its possession or control from being compromised, lost, stolen, accessed and misused by unauthorized persons. This duty included, among other things, designing, maintaining and testing Sony’s security systems to ensure that Plaintiffs’ and Class members’ PII in Sony’s possession was adequately secured and protected. Sony further owed a duty to Plaintiffs and the Class to implement processes that would detect a breach of its security system in a timely manner and to timely act upon warning and alerts including those generated by its own security systems.

100. Sony owed a duty to Plaintiffs and the members of the Class to provide security, including consistent with of industry standards and requirements, to ensure that its systems and networks, and the personnel responsible for them, adequately protected the PII of its current and former employees.

101. Sony owed a duty of care to Plaintiffs and the members of the Class because they were foreseeable and probable victims of any inadequate security practices. Sony knew or should have known it had inadequately safeguarded its Network, particularly in light of its multiple prior breaches, as noted above, and yet Sony failed to take reasonable precautions to safeguard current and former employees’ PII.

102. Sony owed a duty to timely and accurately disclose to Plaintiffs and members of the Class that their PII had been or was reasonably believed to have been compromised. Timely disclosure was required, appropriate and necessary so that, among other things, Plaintiffs and the members of the Class could take appropriate measures to avoid identity theft or fraudulent charges, including, monitor their account information and credit reports for fraudulent activity, contact their banks or other financial institutions, obtain credit monitoring services, file reports with law enforcement and other governmental agencies and take other steps to mitigate or ameliorate the damages caused by Sony’s misconduct.

103. Plaintiffs and members of the Class entrusted Sony with their PII on the premise and with the understanding that Sony would safeguard their

information, and Sony was in a position to protect against the harm suffered by Plaintiffs and members of the Class as a result of the Data Breach.

104. Sony knew, or should have known, of the inherent risks in collecting and storing the PII of Plaintiffs and members of the Class and of the critical importance of providing adequate security of that information.

105. Sony’s own conduct also created a foreseeable risk of harm to Plaintiffs and members of the Class. Sony’s misconduct included, but was not limited to, its failure to take the steps and opportunities to prevent and stop the Data Breach as set forth herein. Sony’s misconduct also included its decision not to comply with industry standards for the safekeeping and maintenance of the PII of Plaintiffs and members of the Class.

106. Through its acts and omissions described herein, Sony unlawfully breached its duty to use reasonable care to protect and secure Plaintiffs’ and the Class’ PII within its possession or control. More specifically, Defendant failed to maintain a number of reasonable security procedures and practices designed to protect the PII of Plaintiffs and the Class, including, but not limited to, establishing and maintaining industry-standard systems to safeguard its current and former employees’ PII. Given the risk involved and the amount of data at issue, Sony’s breach of its duties was entirely unreasonable.

107. Sony breached its duties to timely and accurately disclose that Plaintiffs’ and Class members’ PII in Sony’s possession had been or was reasonably believed to have been, stolen or compromised.

108. As a direct and proximate result of Defendant’s breach of its duties, Plaintiffs and members of the Class have been harmed by the release of their PII, causing them to expend personal income on credit monitoring services and putting them at an increased risk of identity theft. Plaintiffs and members of the Class have spent time and money to protect themselves as a result of Defendant’s conduct, and will continue to be required to spend time and money protecting themselves, their identities, their credit, and their reputations.

COUNT II: Violation of California Confidentiality of Medical Information Act, Cal. Civ. Code § 56, et seq.

109. Plaintiffs and the Class reallege and incorporate by reference the allegations contained in each of the preceding paragraphs of this Complaint as if fully set forth herein.

110. California Civil Code § 56, et seq., known as the Confidentiality of Medical Information Act (“Medical Information Act”), requires employers who receive medical information to establish appropriate procedures to ensure the confidentiality and protection from unauthorized use and disclosure of that information. These procedures may include, but are not limited to, instruction regarding confidentiality of employees and agents handling files containing

medical information, and security systems restricting access to files containing medical information.

111. Furthermore, the Medical Information Act prohibits employers from disclosing medical information regarding a patient without first obtaining written authorization from the patient.

112. In the usual course of business, employers, including Sony, possess and retain certain mediation records and information belonging to its current and former employees, including certain of Plaintiffs’ medical information. During their employment with Sony, Plaintiffs lived in California.

113. At all relevant times, Defendant had a legal duty to protect the confidentiality of Plaintiffs’ and Class members’ medical information.

114. By failing to ensure adequate security systems were in place to prevent access and disclosure of Plaintiffs’ and Class members’ private medical information without written authorization, Defendant violated the Medical Information Act and their legal duty to protect the confidentiality of such information.

115. Pursuant to Cal. Civ. Code § 56.36, those Plaintiffs and members of the Class whose medical information was compromised are entitled to nominal statutory damages of $1,000 per class member as well as any actual damages sustained by those Plaintiffs and members of the Class.

COUNT III: Violation of Cal. Civ. Code § 1798.80 et seq. (On Behalf Of Plaintiff Mathis and the California Subclass)

116. Plaintiffs and the Class reallege and incorporate by reference the allegations contained in each of the preceding paragraphs of this Complaint as if fully set forth herein.

117. Section 1798.82 of the California Civil Code provides, in pertinent part, as follows:

(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

* * *

(d) Any person or business that is required to issue a security breach notification pursuant to this section shall meet all of the following requirements:

(1) The security breach notification shall be written in plain language.

(2) The security breach notification shall include, at a minimum, the following information:

(A) The name and contact information of the reporting person or business subject to this section.

(B) A list of the types of personal information that were or are reasonably believed to have been the subject of a breach.

(C) If the information is possible to determine at the time the notice is provided, then any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred. The notification shall also include the date of the notice.

(D) Whether notification was delayed as a result of a law enforcement investigation, if that information is possible to determine at the time the notice is provided.

(E) A general description of the breach incident, if that information is possible to determine at the time the notice is provided.

(F) The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

* * *

(f) Any person or business that is required to issue a security breach notification pursuant to this section to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. A single sample copy of a security breach notification shall not be deemed to be within subdivision (f) of Section 6254 of the Government Code.

(g) For purposes of this section, “breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

118. The unauthorized acquisition of Plaintiffs’ and Class members’ PII constituted a “breach of the security system” of Sony.

119. Sony unreasonably delayed informing anyone about the breach of security of California Subclass members’ confidential and non-public information after Sony knew the Data Breach had occurred.

120. Defendant failed to disclose to California Subclass members, without unreasonable delay, and in the most expedient time possible, the breach of security of their unencrypted, or not properly and securely encrypted, PII when they knew or reasonably believed such information had been compromised.

121. Upon information and belief, no law enforcement agency instructed Sony that notification to California Subclass members would impede investigation.

122. Pursuant to Section 1798.84 of the California Civil Code:

(a) Any waiver of a provision of this title is contrary to public policy and is void and unenforceable.

* * *

(e) Any business that violates, proposes to violate, or has violated this title may be enjoined.

123. As a result of Sony’s violation of Cal. Civ. Code § 1798.82, California Subclass members incurred economic damages relating to expenses for credit monitoring and other identity theft prevention services.

124. Plaintiff Mathis, individually and on behalf of the other California Subclass members, seek all remedies available under Cal. Civ. Code § 1798.84, including, but not limited to: (a) damages suffered by California Subclass members as alleged above; and (b) equitable relief.

COUNT IV: Violation of § 18.2-186.6., et seq. (On Behalf Of Plaintiff Corona and the Virginia Subclass)

125. Plaintiffs and the Class reallege and incorporate by reference the allegations contained in each of the preceding paragraphs of this Complaint as if fully set forth herein.

126. Section 18.2-186.6 of the Code of Virginia provides, in pertinent part, as follows:

(B) If unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and causes, or the individual or entity reasonably believes has caused or will cause, identity theft or another fraud to any resident of the Commonwealth, an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay. Notice required by this section may be reasonably delayed to allow the individual or entity to determine the scope of the breach of the security of the system and restore the reasonable integrity of the system. Notice required by this section may be delayed if, after the individual or entity notifies a law-enforcement agency, the law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal

or civil investigation, or homeland or national security. Notice shall be made without unreasonable delay after the law-enforcement agency determines that the notification will no longer impede the investigation or jeopardize national or homeland security.

(C) An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.

(D) An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall notify the owner or licensee of the information of any breach of the security of the system without unreasonable delay following discovery of the breach of the security of the system, if the personal information was accessed and acquired by an unauthorized person or the individual or entity reasonably believes the personal information was accessed and acquired by an unauthorized person.

(E) In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the

A ttorneyG eneralandallconsum erreporting a g enciesth atcom pile

andm aintain fileson consum erson a nationw idebasis, asdefinedin

15U.S.C . § 16 8 1a(p), of th etim ing , distribution, andcontentof th e

notice.

127. For purposes of this section, “personal information” means the first name or first initial and last name in combination with and linked to any one or more of the following data elements that relate to a resident of the Commonwealth, when the data elements are neither encrypted nor redacted:

(a) Social security number;

(b) Driver’s license number or state identification card number issued in lieu of a driver’s license number; or

(c) Financial account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account.

128. For purposes of this section, “notice” means:

(1) Written notice to the last known postal address in the records of the individual or entity;

(2) Telephone notice;

(3) Electronic notice; or

(4) Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed $50,000, the affected class of Virginia residents to be notified exceeds 100,000 residents, or the individual or the entity does not have sufficient contact information or consent to provide notice as described in subdivisions 1, 2, or 3 of this definition. Substitute notice consists of all of the following:

(a) E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents;

(b) Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; and

(c) Notice to major statewide media.

129. Further, the “notice” required by this section shall include a description of the following:

(1) The incident in general terms;

(2) The type of personal information that was subject to the unauthorized access and acquisition;

(3) The general acts of the individual or entity to protect the personal information from further unauthorized access;

(4) A telephone number that the person may call for further information and assistance, if one exists; and

(5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.


130. “Breach of the security of the system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

131. The unauthorized acquisition of Plaintiffs’ and Class members’ PII constituted a “breach of the security of the system” of Sony under Section 18.2-186.6.A. of the Code of Virginia.

132. Sony unreasonably delayed informing anyone about the breach of security of Virginia Subclass members’ confidential and non-public information after Sony knew the Data Breach had occurred.

133. Defendant failed to disclose to Virginia Subclass members, without unreasonable delay, and in the most expedient time possible, the breach of security of their unencrypted, or not properly and securely encrypted, personal information when they knew or reasonably believed such information had been compromised.


134. Upon information and belief, no law enforcement agency instructed Sony that notification to Virginia Subclass members would impede investigation.

135. Nothing in Section 18.2-186.6.I. of the Code of Virginia limits an individual from recovering direct economic damages from a violation of this section.

136. As a result of Sony’s violation of Section 18.2-186.6. of the Code of Virginia, Virginia Subclass members incurred economic damages relating to expenses for credit monitoring and identity theft protection. In addition, they have expended many hours attempting to safeguard themselves from identity theft or other harms caused by the release of their PII as a result of the Data Breach, including freezing their credit records and other identity theft prevention services.

137. Plaintiff Corona, individually and on behalf of the other Virginia Subclass members, seeks all remedies available under Section 18.2-186.6.I. of the Code of Virginia, including, but not limited to: (a) damages suffered by Virginia Subclass members as alleged above; and (b) equitable relief.

PRAYER FOR RELIEF

WHEREFORE, Plaintiffs, on behalf of themselves and the Class set forth herein, respectfully request the following relief:

A. That the Court certify this case as a class action pursuant to Federal Rule of Civil Procedure 23(a), (b)(2) and (b)(3), and, pursuant to Federal Rule of Civil Procedure 23(g), appoint Plaintiffs and Plaintiffs’ counsel of record to represent said Class;

B. Finding that Sony breached its duty to safeguard and protect Plaintiffs’ and the Class’ PII that was compromised in the security breach that became public knowledge starting in November 2014;

C. That the Court award Plaintiffs and the Class appropriate relief, including any actual and statutory damages, restitution and disgorgement.

D. That the Court award equitable, injunctive and declaratory relief as may be appropriate under applicable state laws. Plaintiffs, on behalf of the Class, seek appropriate injunctive relief, including but not limited to: (i) the provision of credit monitoring and/or credit card monitoring services for the Class for at least five years; (ii) the provision of bank monitoring and/or bank monitoring services for the Class for at least five years; (iii) the provision of identity theft insurance for the Class for at least five years; (iv) the provision of credit restoration services for the Class for at least five years; (v) awarding Plaintiffs and the Class the reasonable costs and expenses of suit, including attorneys’ fees, filing fees, and insurance for the Class; and (vi) requiring that Sony receive periodic compliance audits by a third party regarding the security of its computer systems used for storing current and former employee data, to ensure against the recurrence of a data breach by adopting and implementing best security data practices;

E. Awarding the damages requested herein to Plaintiffs and the Class;


F. Awarding all costs, including experts’ fees and attorneys’ fees, and the costs of prosecuting this action;

G. Awarding pre-judgment and post-judgment interest as prescribed by law; and

H. Granting additional legal or equitable relief as this Court may find just and proper.

JURY TRIAL DEMANDED

Plaintiffs hereby demand a trial by jury on all issues so triable.


DATED this 15th day of December, 2014.

KELLER ROHRBACK L.L.P.

By s/ Khesraw Karmand
Khesraw Karmand (SBN 280272)
Matthew J. Preusch (SBN 298144)
kkarmand@kellerrohrback.com
mpreusch@kellerrohrback.com
1129 State Street, Suite 8
Santa Barbara, California 93101
Tel.: (805) 456-1496, Fax (805) 456-1497

Lynn Lincoln Sarko, pro hac vice forthcoming
lsarko@kellerrohrback.com
Gretchen Freeman Cappio, pro hac vice forthcoming
gcappio@kellerrohrback.com
Cari Campen Laufenberg, pro hac vice forthcoming
claufenberg@kellerrohrback.com
Amy N.L. Hanson, pro hac vice forthcoming
ahanson@kellerrohrbak.com
1201 Third Ave., Suite 3200
Seattle, Washington 98101
Tel: (206) 623-1900 / Fax: (206) 623-3384

Attorneys for Plaintiffs Michael Corona and Christina Mathis
